Backport multiarch container images to v9

Makefile

@@ -13,9 +13,7 @@
 #   Master/dev branch: "1.0.0-dev"
 VERSION=9.3.22
 
-DOCKER_IMAGE_QUAY ?= quay.io/gravitational/teleport
-DOCKER_IMAGE_ECR ?= public.ecr.aws/gravitational/teleport
-DOCKER_IMAGE_STAGING ?= 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport
+DOCKER_IMAGE ?= teleport
 
 GOPATH ?= $(shell go env GOPATH)
 
@@ -345,11 +343,10 @@ release-arm64:
 	$(MAKE) release ARCH=arm64
 
 #
-# make release-unix - Produces a binary release tarball containing teleport,
-# tctl, and tsh.
+# make build-archive - Packages the results of a build into a release tarball
 #
-.PHONY:
-release-unix: clean full
+.PHONY: build-archive
+build-archive:
 	@echo "---> Creating OSS release archive."
 	mkdir teleport
 	cp -rf $(BUILDDIR)/* \
@@ -362,6 +359,13 @@ release-unix: clean full
 	tar $(TAR_FLAGS) -c teleport | gzip -n > $(RELEASE).tar.gz
 	rm -rf teleport
 	@echo "---> Created $(RELEASE).tar.gz."
+
+#
+# make release-unix - Produces a binary release tarball containing teleport,
+# tctl, and tsh.
+#
+.PHONY:
+release-unix: clean full build-archive
 	@if [ -f e/Makefile ]; then \
 		rm -fr $(ASSETS_BUILDDIR)/webassets; \
 		$(MAKE) -C e release; \
@@ -907,46 +911,17 @@ install: build
 	cp -f $(BUILDDIR)/teleport  $(BINDIR)/
 	mkdir -p $(DATADIR)
 
-
 # Docker image build. Always build the binaries themselves within docker (see
 # the "docker" rule) to avoid dependencies on the host libc version.
 .PHONY: image
-image: clean docker-binaries
+image: OS=linux
+image: TARBALL_PATH_SECTION:=-s "$(shell pwd)"
+image: clean docker-binaries build-archive oss-deb
 	cp ./build.assets/charts/Dockerfile $(BUILDDIR)/
-	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_QUAY):$(VERSION)
+	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE):$(VERSION)-$(ARCH) --target teleport \
+		--build-arg DEB_PATH="./teleport_$(VERSION)_$(ARCH).deb"
 	if [ -f e/Makefile ]; then $(MAKE) -C e image; fi
 
-.PHONY: publish
-publish: image
-	docker push $(DOCKER_IMAGE_QUAY):$(VERSION)
-	if [ -f e/Makefile ]; then $(MAKE) -C e publish; fi
-
-.PHONY: publish-ecr
-publish-ecr: image
-	docker tag $(DOCKER_IMAGE_QUAY) $(DOCKER_IMAGE_ECR)
-	docker push $(DOCKER_IMAGE_ECR):$(VERSION)
-	if [ -f e/Makefile ]; then $(MAKE) -C e publish-ecr; fi
-
-# Docker image build in CI.
-# This is run to build and push Docker images to a private repository as part of the build process.
-# When we are ready to make the images public after testing (i.e. when publishing a release), we pull these
-# images down, retag them and push them up to the production repo so they're available for use.
-# This job can be removed/consolidated after we switch over completely from using Jenkins to using Drone.
-.PHONY: image-ci
-image-ci: clean docker-binaries
-	cp ./build.assets/charts/Dockerfile $(BUILDDIR)/
-	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_STAGING):$(VERSION)
-	if [ -f e/Makefile ]; then $(MAKE) -C e image-ci; fi
-
-.PHONY: publish-ci
-publish-ci: image-ci
-	@if DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect $(DOCKER_IMAGE_STAGING):$(VERSION) 2>&1 >/dev/null; then\
-		echo "$(DOCKER_IMAGE_STAGING):$(VERSION) already exists. ";     \
-	else                                                                \
-		docker push $(DOCKER_IMAGE_STAGING):$(VERSION);                 \
-	fi
-	if [ -f e/Makefile ]; then $(MAKE) -C e publish-ci; fi
-
 .PHONY: print-version
 print-version:
 	@echo $(VERSION)
@@ -1002,13 +977,17 @@ rpm:
 rpm-unsigned:
 	$(MAKE) UNSIGNED_RPM=true rpm
 
-# build .deb
-.PHONY: deb
-deb:
+# build open source .deb only
+.PHONY: oss-deb
+oss-deb:
 	mkdir -p $(BUILDDIR)/
 	cp ./build.assets/build-package.sh $(BUILDDIR)/
 	chmod +x $(BUILDDIR)/build-package.sh
 	cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p deb -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
+
+# build .deb
+.PHONY: deb
+deb: oss-deb
 	if [ -f e/Makefile ]; then $(MAKE) -C e deb; fi
 
 # check binary compatibility with different OSes

build.assets/charts/Dockerfile

@@ -1,4 +1,9 @@
-FROM ubuntu:20.04
+# Stage to build the image, without FIPS entrypoint argument
+FROM ubuntu:20.04 AS teleport
+
+# Copy the deb archive
+ARG DEB_PATH
+COPY ${DEB_PATH?} /tmp/teleport.deb
 
 # Install dumb-init and ca-certificates. The dumb-init package is to ensure
 # signals and orphaned processes are are handled correctly. The ca-certificate
@@ -39,18 +44,22 @@ FROM ubuntu:20.04
 # "apt-get update" to reduce the size of the image.
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
+    # Install dependencies
     DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y ca-certificates dumb-init libelf1 && \
+    # Install tools
     DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y net-tools iputils-ping inetutils-telnet netcat tcpdump busybox && \
     busybox --install -s && \
     update-ca-certificates && \
+    # Install Teleport
+    dpkg -i /tmp/teleport.deb && \
+    # Cleanup
     apt-get -y clean && \
-    rm -rf /var/lib/apt/lists/*
-
-# Bundle "teleport", "tctl", "tbot", and "tsh" binaries into image.
-COPY teleport /usr/local/bin/teleport
-COPY tctl /usr/local/bin/tctl
-COPY tsh /usr/local/bin/tsh
-COPY tbot /usr/local/bin/tbot
+    rm -rf /var/lib/apt/lists/* && \
+    rm -rf /tmp/*
 
 # By setting this entry point, we expose make target as command.
 ENTRYPOINT ["/usr/bin/dumb-init", "teleport", "start", "-c", "/etc/teleport/teleport.yaml"]
+
+# Stage to launch Teleport with the fips argument
+FROM teleport AS teleport-fips
+ENTRYPOINT ["/usr/bin/dumb-init", "teleport", "start", "-c", "/etc/teleport/teleport.yaml", "--fips"]

dronegen/common.go

@@ -33,6 +33,16 @@ const (
 	// ProductionRegistryQuay is the production image registry that hosts images on quay.io. Will be deprecated in the future.
 	// See RFD 73 - https://github.com/gravitational/teleport/blob/c18c09f5d562dd46a509154eab4295ad39decc3c/rfd/0073-public-image-registry.md
 	ProductionRegistryQuay = "quay.io"
+
+	// Go version used by internal tools
+	GoVersion = "1.18"
+
+	// The name of this service must match k8s.io/apimachinery/pkg/util/validation `IsDNS1123Subdomain`
+	// so that it is resolvable
+	// See https://github.com/drone-runners/drone-runner-kube/blob/master/engine/compiler/compiler.go#L398
+	// for details
+	LocalRegistryHostname string = "drone-docker-registry"
+	LocalRegistrySocket   string = LocalRegistryHostname + ":5000"
 )
 
 var (
@@ -99,12 +109,20 @@ func pushTriggerFor(branches ...string) trigger {
 	return t
 }
 
+func cronTrigger(cronJobNames []string) trigger {
+	return trigger{
+		Cron: triggerRef{Include: cronJobNames},
+		Repo: triggerRef{Include: []string{"gravitational/teleport"}},
+	}
+}
+
 func cloneRepoCommands(cloneDirectory, commit string) []string {
 	return []string{
 		fmt.Sprintf("mkdir -pv %q", cloneDirectory),
 		fmt.Sprintf("cd %q", cloneDirectory),
-		`git init && git remote add origin ${DRONE_REMOTE_URL}`,
-		`git fetch origin --tags`,
+		"git init",
+		"git remote add origin ${DRONE_REMOTE_URL}",
+		"git fetch origin --tags",
 		fmt.Sprintf("git checkout -qf %q", commit),
 	}
 }
@@ -204,6 +222,27 @@ func dockerService(v ...volumeRef) service {
 	}
 }
 
+// Starts a container registry service at `LocalRegistrySocket`
+// This can be pushed/pulled to via `docker push/pull <LocalRegistrySocket>:5000/image:tag`
+func dockerRegistryService() service {
+	return service{
+		Name:  LocalRegistryHostname,
+		Image: "registry:2",
+	}
+}
+
+// dockerVolumes returns a slice of volumes
+// It includes the Docker socket volume by default, plus any extra volumes passed in
+func dockerVolumes(v ...volume) []volume {
+	return append(v, volumeDocker)
+}
+
+// dockerVolumeRefs returns a slice of volumeRefs
+// It includes the Docker socket volumeRef as a default, plus any extra volumeRefs passed in
+func dockerVolumeRefs(v ...volumeRef) []volumeRef {
+	return append(v, volumeRefDocker)
+}
+
 // releaseMakefileTarget gets the correct Makefile target for a given arch/fips/centos combo
 func releaseMakefileTarget(b buildType) string {
 	makefileTarget := fmt.Sprintf("release-%s", b.arch)
@@ -232,6 +271,18 @@ func waitForDockerStep() step {
 	}
 }
 
+// waitForDockerStep returns a step which checks that the Docker registry is ready
+func waitForDockerRegistryStep() step {
+	return step{
+		Name:  "Wait for docker registry",
+		Image: "alpine",
+		Commands: []string{
+			"apk add curl",
+			fmt.Sprintf(`timeout 30s /bin/sh -c 'while [ "$(curl -s -o /dev/null -w %%{http_code} http://%s/)" != "200" ]; do sleep 1; done'`, LocalRegistrySocket),
+		},
+	}
+}
+
 func verifyTaggedStep() step {
 	return step{
 		Name:  "Verify build is tagged",
@@ -251,13 +302,29 @@ func cloneRepoStep(clonePath, commit string) step {
 	}
 }
 
-func verifyNotPrereleaseStep(checkoutPath string) step {
+func verifyNotPrereleaseStep() step {
+	clonePath := "/tmp/repo"
+	commands := []string{
+		"apk add git",
+	}
+	commands = append(commands, cloneRepoCommands(clonePath, "${DRONE_TAG}")...)
+	commands = append(commands,
+		fmt.Sprintf("cd %q", path.Join(clonePath, "build.assets", "tooling")),
+		"go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> This is a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78)",
+	)
+
 	return step{
-		Name:  "Check if tag is prerelease",
-		Image: "golang:1.18-alpine",
-		Commands: []string{
-			fmt.Sprintf("cd %q", path.Join(checkoutPath, "build.assets", "tooling")),
-			"go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> This is a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78)",
-		},
+		Name:     "Check if tag is prerelease",
+		Image:    fmt.Sprintf("golang:%s-alpine", GoVersion),
+		Commands: commands,
 	}
 }
+
+func getStepNames(steps []step) []string {
+	stepNames := make([]string, 0, len(steps))
+	for _, step := range steps {
+		stepNames = append(stepNames, step.Name)
+	}
+
+	return stepNames
+}